Discovering .node Files

There are several ways to identify .node files on a system. In this example, System Informer is used. Open the tool, select “Find handles or DLLs”, and search for .node. The screenshot below highlights all .node modules loaded on a host running Slack.

Understanding .node Exports

After locating the target .node file, the next step is to examine its exports. Various tools can accomplish this, but the screenshot below displays the exported functions of keymapping.node viewed in Ghidra’s symbol tree.

Configuring DripLoaderNG

In the main.cpp file, create a linker reference for each exported function. Use the following format:

• Example: (linker, “/export:napi_register_module_v1=nativebindings.node.napi_register_module_v1,@1”)
• Format: (linker, “/export:[Export]=[Normal .node file].napi_register_module_v1,@[number of export]”)